Japan Vulnerability NotesJVN:08342147JVN#08342147: WindLDR and WindO/I-NV4 store sensitive information in cleartext
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
20.2%
PLC programming software “WindLDR” and Operator Interfaces’ Touchscreen Programming Software “WindO/I-NV4” provided by IDEC Corporation store sensitive information in cleartext form (CWE-312).
Impact
An attacker who obtained the product’s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
- WindLDR Ver.9.2.0
- WindO/I-NV4 Ver.3.1.0
Products Affected
- WindLDR Ver.9.1.0 and earlier
- WindO/I-NV4 Ver.3.0.1 and earlier
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
20.2%